Simple Post-Training Robustness Using Test Time Augmentations and Random Forest

TL;DR

This paper introduces ARF, a simple post-training method that enhances DNN robustness against adversarial attacks by using test-time augmentations and a random forest classifier, without altering the original model.

Contribution

The work proposes ARF, a novel post-training robustness technique that leverages test-time augmentations and a random forest to improve adversarial resilience of pretrained DNNs.

Findings

Achieves state-of-the-art adversarial robustness on various attacks.

Maintains high accuracy on natural images with minimal compromise.

Effective against adaptive white-box attacks when combined with adversarial training.

Abstract

Although Deep Neural Networks (DNNs) achieve excellent performance on many real-world tasks, they are highly vulnerable to adversarial attacks. A leading defense against such attacks is adversarial training, a technique in which a DNN is trained to be robust to adversarial attacks by introducing adversarial noise to its input. This procedure is effective but must be done during the training phase. In this work, we propose Augmented Random Forest (ARF), a simple and easy-to-use strategy for robustifying an existing pretrained DNN without modifying its weights. For every image, we generate randomized test time augmentations by applying diverse color, blur, noise, and geometric transforms. Then we use the DNN's logits output to train a simple random forest to predict the real class label. Our method achieves state-of-the-art adversarial robustness on a diversity of white and black box attacks with minimal compromise on the natural images' classification. We test ARF also against numerous adaptive white-box attacks and it shows excellent results when combined with adversarial training. Code is available at https://github.com/giladcohen/ARF.